Love and hate under war: The GamaCopy organization, which imitates the Russian Gamaredon, uses military-related bait to launch attacks on Russia

By Knownsec 404 team
Published: 2025-01-21 · Archived: 2026-04-05 16:42:50 UTC

Author: Knownsec 404 Advanced Threat Intelligence team
Date: January 21, 2025
中文版: https://paper.seebug.org/3269

Recently, our team discovered attack samples targeting Russian-speaking targets during threat hunting. Another related sample was also identified. Both samples follow the same operation process and use the same bait theme. Through analysis and association of the samples, the following characteristics were observed:

1. Attacks are initiated using content related to military facilities as bait.
2. A 7z self-extracting program (SFX) is used to release and load subsequent payloads.
3. The open-source tool UltraVNC is used for subsequent attack behaviors.
4. The TTPs (Tactics, Techniques, and Procedures) of this organization imitate those of the Gamaredon organization, which conducts attacks against Ukraine.

In the context of the ongoing Russia-Ukraine conflict, the attackers used content related to military facilities as bait and launched attacks with open-source tools, no doubt hoping to hide themselves in the “fog of war”. By tracing the source of the sample, we have associated it with Core Werewolf, a group that has launched multiple attacks against Russia. As is well known, there is another interesting pair of APT groups with a love-hate relationship in the South Asian region, namely SideWinder and SideCopy. The attack activity discovered this time mimics the Gamaredon organization that attacks Ukraine, so it can be named GamaCopy. At the same time, our team also noticed that multiple historical samples of the same type were attributed to the Gamaredon organization by other security vendors.
Obviously, this is a successful false flag operation by the organization, which has deceived some vendors that did not conduct in-depth analysis. This article analyzes the question in detail as follows:

1. Sample analysis

https://medium.com/@knownsec404team/love-and-hate-under-war-the-gamacopy-organization-which-imitates-the-russian-gamaredon-uses-560ba5e633fa Page 1 of 7

The attacker provided information about the condition and location of Russian armed forces facilities. The bait document in Sample 1 is as follows:

[Image: bait document in Sample 1]

The bait document in Sample 2 is as follows:

[Image: bait document in Sample 2]

Taking Sample 1 as an example, when it is opened in the # mode of 7z, the SFX-related files contained within it can be seen. File 2 is the SFX self-extracting installation script, which contains numerous character comments interspersed with the real running statements. Its main function is to run 2128869258671564.cmd (copied from 2128869258671564).

[Image: SFX installation script]

2128869258671564.cmd is a bat script that uses setlocal enabledelayedexpansion to enable delayed variable expansion, which is used to obfuscate the subsequent script content and increase the difficulty of static analysis. The script content before obfuscation is as follows:

[Image: script before obfuscation]

After obfuscating the variables, the script is as follows:

[Image: script after obfuscation]

The main functions of the script include:

1. Copy Ki58j08O58F68M58q2.PQ87G87O97o67r27Y9 to svod.pdf and run it.
2. Copy yC61y51v51g71p61U4.Eb21h11U11Z31P71F8 to OneDrivers.exe.
3. Copy lC32A32W52T12R02u1.uZ94Y64M14m54z84J3 to UltraVNC.ini.
4. End the OneDrivers.exe process that is already running on the host and rerun OneDrivers.exe.

In fact, the “OneDrivers.exe” mentioned above is the main executable of the open-source remote desktop tool UltraVNC. The attackers rename it to resemble a common process name on the system and connect it to a specified command server for the purpose of disguising themselves. This helps reduce the vigilance of victims to a certain extent.

2. Attribution Analysis

Based on the information obtained about APT organizations, the attack sample may belong to one of two APT organizations: Gamaredon or GamaCopy.

Gamaredon, also known as Shuckworm, Armageddon, and Primitive Bear, has been targeting Ukraine’s military, non-governmental organizations, judiciary, law enforcement agencies, and non-profit organizations since 2013. GamaCopy was first discovered in June 2023 and has launched multiple cyberattacks against Russia’s defense and critical infrastructure sectors by mimicking Gamaredon’s TTPs. It is believed that the organization has been active since at least August 2021.

Gamaredon has repeatedly used 7z-SFX documents and UltraVNC in previous attack activities. After analysis, we found that the entire attack chain in which Gamaredon uses UltraVNC differs significantly from the sample discovered this time. Gamaredon often releases and loads the final UltraVNC through macros, and uses VBS scripts multiple times in the attack chain.
For example, in early 2022, foreign security vendors exposed a Gamaredon attack on Ukraine that downloaded subsequent payloads through VBS scripts from multiple scheduled tasks, including an example of installing UltraVNC using 7z-SFX [1]. At the same time, we found that Gamaredon used port 5612 more frequently when using UltraVNC, rather than port 443 as used in this sample.

So, does this attack sample belong to the GamaCopy organization? Judging from the initial exposure by BI.ZONE [2], the structure and code of this sample show considerable overlap with GamaCopy’s tactics: for example, using 7z-SFX documents to install and execute UltraVNC, using port 443 to connect to the server, and using a large number of delayed-expansion variables to increase code complexity.

[Image: comparison with the BI.ZONE sample]

In addition, we noticed that the bait documents in this sample relate to military facilities and deployments. In the context of the current Russia-Ukraine conflict, such documents are sensitive and interesting from the perspective of both defense and attack. However, after analyzing the proportion of languages used in the past bait documents of the two organizations, we found that Gamaredon has predominantly used Ukrainian-language bait, while GamaCopy, on the contrary, has mainly used Russian-language bait. For example, a bait sample targeting personnel related to defense policy at the Russian Ministry of Foreign Affairs:

[Image: bait targeting Russian Ministry of Foreign Affairs personnel]

An attack using internal orders of one of Russia’s largest joint-stock companies as bait:

[Image: bait using internal company orders]

3. Summary

Based on the above analysis, from the perspectives of code similarity, language usage in bait documents, and port assets, we are more inclined to attribute the attack samples discovered in this case to the GamaCopy organization. Since its exposure, this organization has frequently mimicked the TTPs used by the Gamaredon organization and cleverly used open-source tools as a shield to achieve its own goals while confusing the public.

4. IOC

Hash:

C2:
- nefteparkstroy.ru[:]443
- fmsru.ru[:]443

Source: https://medium.com/@knownsec404team/love-and-hate-under-war-the-gamacopy-organization-which-imitates-the-russian-gamaredon-uses-560ba5e633fa
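As an added example, not code from the report or from the sample itself, the following Python resolves the delayed-expansion obfuscation described in the sample analysis section (command fragments stored in variables and reassembled through !var! references) and then flags the copy-to-.exe, UltraVNC.ini and taskkill/restart steps of the chain. The batch text is a constructed stand-in that only borrows the file names from the report, and the rule names are assumptions.

```python
import re

# Constructed stand-in for the obfuscated 2128869258671564.cmd described in the report
# (file names from the report; the script text itself is constructed, not the original).
SAMPLE_CMD = r"""setlocal enabledelayedexpansion
set a=co
set b=py
set c=Ki58j08O58F68M58q2.PQ87G87O97o67r27Y9
set d=svod.pdf
set e=OneDrivers.exe
set f=tas
set g=kkill
!a!!b! "!c!" "!d!"
start "" "!d!"
!a!!b! "yC61y51v51g71p61U4.Eb21h11U11Z31P71F8" "!e!"
!a!!b! "lC32A32W52T12R02u1.uZ94Y64M14m54z84J3" "UltraVNC.ini"
!f!!g! /f /im !e!
start "" "!e!"
"""

SET_RE = re.compile(r"^set\s+(\w+)=(.*)$", re.IGNORECASE)
REF_RE = re.compile(r"[!%](\w+)[!%]")  # !name! (delayed) or %name% (immediate) reference

def deobfuscate(script):
    """Collect 'set name=value' lines, then expand references in the remaining lines."""
    env, commands = {}, []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith(("@", "rem", "::", "setlocal")):
            continue
        m = SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2)
            continue
        for _ in range(16):  # values may reference other variables: expand until stable
            new = REF_RE.sub(lambda r: env.get(r.group(1).lower(), r.group(0)), line)
            if new == line:
                break
            line = new
        commands.append(line)
    return commands

# Assumed rule names; each matches one step of the chain the report describes.
RULES = {"copy-to-exe": lambda c: c.startswith("copy") and c.endswith(".exe"),
         "ultravnc-config": lambda c: "ultravnc.ini" in c,
         "taskkill-restart": lambda c: c.startswith("taskkill")}

def flag_chain(commands):
    """Return (rule, command) pairs for recovered commands matching the chain."""
    return [(name, cmd) for cmd in commands
            for name, rule in RULES.items() if rule(cmd.lower().replace('"', ""))]
```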